Security news weekly round-up - 18th April 2025

We have a full house today. Seven articles discussing different topics in cybersecurity. It's been a while since we have had such a thing in the almost 5 years of writing and publishing this series.
The topics solidify my statement that we live in a world where humans play a key role in cybersecurity, and we are at the forefront of stopping cyber criminals from achieving their aims either through vigilance, technical skills, or spending money on security programs that help the cybersecurity community.
My name is Habdul Hazeez. I welcome you all to this week's edition of our security review here on Dev. I apologize for missing last week's edition. It was due to factors beyond my control.
Let's begin.
LLMs can't stop making up software dependencies and sabotaging everything
There is a reason why OpenAI, owner of ChatGPT, says "ChatGPT can make mistakes. Verify important information." Or DeepSeek saying "AI-generated. For reference only." Both drive home the same point: verify whatever the LLM spits out.
Now, the question: How many people do this? Going by this article, not many. I mean, you're working on a project using an LLM for coding, or what's now called vibe coding, and you can't tell when it gives you a bogus package name? How? I want to know.
Nonetheless, the bad guys know this and they're exploiting this to their advantage. So, please, stay safe and double-check your package names!
From the article:
The problem is, these code suggestions often include hallucinated package names that sound real but don’t exist. I’ve seen this firsthand. You paste it into your terminal and the install fails – or worse, it doesn’t fail, because someone has slop-squatted that exact package name.
Even worse, when you Google one of these slop-squatted package names, you’ll often get an AI-generated summary from Google itself confidently praising the package, saying it’s useful, stable, well-maintained. But it’s just parroting the package’s own README, no skepticism, no context. To a developer in a rush, it gives a false sense of legitimacy.
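One way to double-check package names before anything is installed, added here as an example and not taken from the quoted article: compare what an LLM-suggested `pip install` line would fetch against the requirements the project has already reviewed. The sample text and the two unvetted package names are constructed for illustration, and the function names are hypothetical.

```python
import difflib
import re

# Constructed sample: a pinned requirements file the team has already reviewed.
VETTED_REQUIREMENTS = """\
requests==2.32.3
python-dateutil==2.9.0
PyYAML==6.0.2
"""

# Constructed sample of pasted LLM output; the unvetted names are made up here.
LLM_SUGGESTION = """\
First install the dependencies:
    pip install requests python_dateutils
    pip install --upgrade yaml-config-loader-pro PyYAML==6.0.2
"""

def normalize(name):
    """PEP 503 normalization, so 'Py_YAML' and 'py-yaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def vetted_names(requirements_text):
    names = set()
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(normalize(re.split(r"[=<>!~\[; ]", line, maxsplit=1)[0]))
    return names

def suggested_packages(text):
    """Pull package names out of `pip install ...` lines, skipping option flags."""
    found = []
    for match in re.finditer(r"pip3?\s+install\s+(.+)", text):
        for token in match.group(1).split():
            if not token.startswith("-"):
                found.append(normalize(re.split(r"[=<>!~\[;]", token, maxsplit=1)[0]))
    return found

def review(text, requirements_text):
    """Return {name: verdict} for every package the suggestion would install."""
    vetted = vetted_names(requirements_text)
    report = {}
    for name in suggested_packages(text):
        if name in vetted:
            report[name] = "vetted"
        else:
            close = difflib.get_close_matches(name, sorted(vetted), n=1, cutoff=0.85)
            report[name] = f"unvetted, resembles {close[0]}" if close else "unvetted"
    return report
```

An "unvetted" verdict means the name needs a manual look at the registry page, maintainer and release history before it is installed; a near-match to a vetted name is the strongest hint that the suggestion is a hallucinated variant.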
Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft
There is no more "let's catch them all, and see which one is of the highest value." It's now "we catch the bigger targets, and save ourselves from unnecessary filtering." I mean, who does not love optimization? Just asking.
That's what this phishing attack is about and it's dubbed precision-validating phishing. Wow! Talk about being spot on, there you have it.
From the article:
Unlike "spray-and-pray" credential harvesting campaigns that typically involve the bulk distribution of spam emails to obtain victims' login information in an indiscriminate fashion, the latest attack tactic takes spear-phishing to the next level by only engaging with email addresses that attackers have verified as active, legitimate, and high-value.
CVE program averts swift end after CISA executes 11-month contract extension
Talk about a close call, this is it. Can you imagine a cybersecurity world without CVEs? I can't. Luckily, we'll not experience it any time soon. Nonetheless, this shows the importance of funding in security.
Now, you might still ask: Why is this important? Here is why:
MITRE's CVE program is a foundational pillar of the global cybersecurity ecosystem and is the de facto standard for identifying vulnerabilities and guiding defenders’ vulnerability management programs. It provides foundational data to vendor products across vulnerability management, cyber threat intelligence, security information, event management, and endpoint detection and response.
If MITRE’s funding goes away, it causes an immediate cascading effect that will impact vulnerability management on a global scale.
Mobile Apps Fail Basic Security—Posing Serious Risks to Enterprises
Who do we trust? That's the first question that I asked myself when I read the article's title. By default, we think that all the apps in the official App stores have gone through thorough vetting before they appear, so they should be safe. Turns out, that's not the case.
From the article:
From the mobile apps examined, 83 Android apps (4 from within Google Play Store’s top 100 popularity list) were found to use unprotected or misconfigured cloud storage. In some of the stores the file indexes are world viewable, and in others the content can be accessed without credentials. Since criminals are continuously scanning the internet for such unprotected repositories, this is a serious threat to the data they contain.
Microsoft Warns of Node.js Abuse for Malware Delivery
It's no surprise that threat actors tend to abuse technology, from Living off the Land attacks to tricking users into running malicious PowerShell scripts, and so on. In this case, it's Node.js.
Here is why:
The open source cross-platform runtime environment Node.js is popular among developers, allowing them to execute JavaScript code outside of web browsers. However, this also makes it tempting for threat actors, who can leverage it to disguise their malware and bypass security mechanisms.
Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution
What's interesting about this vulnerability? It has a CVSS score of 10, which is as critical as it gets. The telling factor is that the vulnerability allows arbitrary code execution. This raises the question: what led to the vulnerability in the first place?
It's the following:
The issue stems from improper handling of SSH protocol messages that essentially permit an attacker to send connection protocol messages prior to authentication. Successful exploitation of the shortcomings could result in arbitrary code execution in the context of the SSH daemon.
Further exacerbating the risk, if the daemon process is running as root, it enables the attacker to have full control of the device.
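The check whose absence is described above, as an added example that is not Erlang/OTP's code or the quoted article's: RFC 4252 reserves message numbers 80 and higher for protocols that run after authentication and requires the server to disconnect if one arrives earlier. The `ServerSession` class, `replay` helper and sample traffic are hypothetical and constructed for illustration.

```python
from enum import Enum

# Message numbers as assigned in RFC 4250; 80 and above belong to the
# connection protocol (RFC 4254) and are only valid after authentication.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
FIRST_CONNECTION_MSG = 80

class State(Enum):
    PRE_AUTH = "pre_auth"
    AUTHENTICATED = "authenticated"
    CLOSED = "closed"

class ServerSession:
    """Hypothetical server-side dispatcher; not Erlang/OTP's implementation."""

    def __init__(self, verify_credentials):
        self.verify_credentials = verify_credentials  # callable(payload) -> bool
        self.state = State.PRE_AUTH
        self.rejected = []  # pre-auth connection messages, kept for alerting

    def handle(self, msg_type, payload=None):
        if self.state is State.CLOSED:
            return "dropped"
        # The gate: check session state before the message body is processed.
        if msg_type >= FIRST_CONNECTION_MSG and self.state is not State.AUTHENTICATED:
            self.rejected.append(msg_type)
            self.state = State.CLOSED
            return "disconnect"
        if msg_type == SSH_MSG_USERAUTH_REQUEST and self.state is State.PRE_AUTH:
            if self.verify_credentials(payload):
                self.state = State.AUTHENTICATED
                return "userauth_success"
            return "userauth_failure"
        if msg_type >= FIRST_CONNECTION_MSG:
            return "dispatch_to_channel_layer"
        return "transport_or_auth_layer"

def replay(messages, verify_credentials):
    """Feed (msg_type, payload) pairs to a fresh session; return actions and session."""
    session = ServerSession(verify_credentials)
    return [session.handle(t, p) for t, p in messages], session

def accept_demo(payload):  # constructed credential check for the sample traffic
    return payload == "demo-user:demo-secret"

# Constructed traffic: the first client authenticates before opening a channel.
GOOD = [(SSH_MSG_USERAUTH_REQUEST, "demo-user:demo-secret"),
        (SSH_MSG_CHANNEL_OPEN, None), (SSH_MSG_CHANNEL_REQUEST, None)]
BAD = [(SSH_MSG_CHANNEL_OPEN, None), (SSH_MSG_CHANNEL_REQUEST, None)]
```

The `rejected` list doubles as a detection signal: a connection-protocol message number logged for a session that never authenticated is worth an alert.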
CapCut copycats are on the prowl
The team at Welivesecurity has a good sense of humor when it comes to naming things and selecting the titles for their articles. This one is yet another impressive one. Okay, back to the topic.
In this campaign (or attack, if you'll call it that), attackers are abusing the trust in CapCut to lure users into an online Pro version. If the user goes ahead with the entire process, they will unknowingly install a remote access tool (RAT) that can give attackers command of their computer.
From the article:
These kinds of threats also loom large on corporate networks, as threat actors can, for example, distribute portable, self-contained executables for legitimate remote monitoring and management (RMM) software that circumvents admin privileges and obviates the need for full software installation.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.